alpersonalwebsite / basic-vue-sibling
EventBus and communication between sibling components
Serialize JavaScript to a superset of JSON that includes regular expressions and functions.
Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/serialize-javascript/package.json,/tmp/ws-scm/basic-vue-sibling/node_modules/copy-webpack-plugin/node_modules/serialize-javascript/package.json
Dependency Hierarchy:
Found in HEAD commit: e248a1bf63f8561d013059a11c37a43816232613
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Publish Date: 2020-06-01
URL: CVE-2020-7660
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660
Release Date: 2020-06-01
Fix Resolution: serialize-javascript - 3.1.0
Step up your Open Source Security Game with WhiteSource here
6.0.1 to 6.0.2.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
eslint-plugin-vue is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
no-async-in-computed-properties
require-prop-type-constructor
require-prop-type-constructor
All commits: v6.0.1 -> v6.0.2
The new version differs by 7 commits.
2e75458 version 6.0.2
959298f Fixed broken links. (#1010)
4476263 Fixed a bug that source code is broken by autofix of require-prop-type-constructor. (#1009)
acb48eb Fixed lint error on CI (#1008)
2418da7 Fixed an issue that caused an error when extra commas were included in require-prop-type-constructor (#963)
b412783 Fixed false positives inside the ternary operator in no-async-in-computed-properties (#962)
e8f130c Typescript doc for vue/html-indent (#989)
See the full diff
There is a collection of frequently asked questions. If those don't help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Dependency Hierarchy:
Found in HEAD commit: a40cb6cb8792709af22db74e8cf95f0f9e56cedf
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.4.0.tgz
Dependency Hierarchy:
Found in HEAD commit: a40cb6cb8792709af22db74e8cf95f0f9e56cedf
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. Attackers may leverage the vulnerability, leading to a Denial of Service, since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-08
URL: WS-2020-0042
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-08
Fix Resolution: 7.1.1
6.7.0 to 6.7.1.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
eslint is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
Severity | CVSS Score | CVE | GitHub Issue |
---|---|---|---|
Medium | 6.1 | CVE-2015-9251 | #4 |
Medium | 6.1 | CVE-2012-6708 | #3 |
Medium | 4.3 | WS-2016-0090 | #5 |
The new version differs by 4 commits.
af95154 6.7.1
9361824 Build: changelog update for 6.7.1
dd1e9f4 Fix: revert changes to key-spacing due to regression (#12598)
c644b54 Docs: Update README team and sponsors
See the full diff
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz
Dependency Hierarchy:
Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af
Found in base branch: master
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution: ajv - 6.12.3
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-html/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution (ansi-html): 0.0.8
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Step up your Open Source Security Game with Mend here
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Dependency Hierarchy:
Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af
Found in base branch: master
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen):

```javascript
var lo = require('lodash');
// Builds "1", followed by n spaces, followed by "1".
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) { ret += " "; }
  return ret + "1";
}
var s = build_blank(50000);
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```
Publish Date: 2021-02-15
URL: CVE-2020-28500
Base Score Metrics:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
4.1.0 to 4.1.1.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
@vue/cli-plugin-eslint is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
The new version differs by 3 commits.
2ddcc65 v4.1.1
dd98fa6 fix: fix tsx compilation (#4894)
d21245d workflow: correctly decide which dist-tag to use
See the full diff
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: basic-vue-sibling/package.json
Path to vulnerable library: basic-vue-sibling/node_modules/copy-webpack-plugin/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,basic-vue-sibling/node_modules/fast-glob/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
url-parse is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2021-07-26
URL: CVE-2021-3664
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
Release Date: 2021-07-26
Fix Resolution (url-parse): 1.5.2
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
10.0.3 to 10.1.0.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
babel-eslint is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
JSON Schema validation and specifications
Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-schema/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-11-13
URL: CVE-2021-3918
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918
Release Date: 2021-11-13
Fix Resolution (json-schema): 0.4.0
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.18
Check if a string or buffer is SVG
Library home page: https://registry.npmjs.org/is-svg/-/is-svg-3.0.0.tgz
Path to dependency file: basic-vue-sibling/package.json
Path to vulnerable library: basic-vue-sibling/node_modules/is-svg/package.json
Dependency Hierarchy:
Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a
Found in base branch: master
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Publish Date: 2021-03-12
URL: CVE-2021-28092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28092
Release Date: 2021-03-12
Fix Resolution: v4.2.2
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mini-css-extract-plugin/node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
4.1.0 to 4.1.1.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
@vue/cli-plugin-babel is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
The new version differs by 3 commits.
2ddcc65 v4.1.1
dd98fa6 fix: fix tsx compilation (#4894)
d21245d workflow: correctly decide which dist-tag to use
See the full diff
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html
Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html
Dependency Hierarchy:
Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574
jQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html
Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html
Dependency Hierarchy:
Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
the bare-bones internationalization library used by yargs
Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz
Path to dependency file: basic-vue-sibling/package.json
Path to vulnerable library: basic-vue-sibling/node_modules/y18n/package.json
Dependency Hierarchy:
Found in HEAD commit: 3bc4fe907c3087308feb0e3a3e5e0444f4a3ab6e
Found in base branch: master
This affects the package y18n before 5.0.5. PoC by po6ix:

```javascript
const y18n = require('y18n')();
y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});
console.log(polluted); // true
```
Publish Date: 2020-11-17
URL: CVE-2020-7774
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
Release Date: 2020-11-17
Fix Resolution: 5.0.5
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
Library home page: https://registry.npmjs.org/ssri/-/ssri-6.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ssri/package.json
Dependency Hierarchy:
Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a
Found in base branch: master
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Publish Date: 2021-03-12
URL: CVE-2021-27290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vx3p-948g-6vhq
Release Date: 2021-03-12
Fix Resolution: ssri - 6.0.2,7.1.1,8.0.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html
Path to vulnerable library: /basic-vue-sibling/node_modules/sockjs/examples/express-3.x/index.html,/basic-vue-sibling/node_modules/sockjs/examples/express/index.html,/basic-vue-sibling/node_modules/sockjs/examples/echo/index.html,/basic-vue-sibling/node_modules/sockjs/examples/hapi/html/index.html,/basic-vue-sibling/node_modules/sockjs/examples/multiplex/index.html
Dependency Hierarchy:
Found in HEAD commit: 33a0d75f5055ee37ce221d07ef926045a0b01574
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex/package.json,/node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex/package.json,/node_modules/@soda/friendly-errors-webpack-plugin/node_modules/strip-ansi/node_modules/ansi-regex/package.json,/node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex/package.json,/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@soda/friendly-errors-webpack-plugin/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/strip-ansi/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.18
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/dot-prop/package.json
Dependency Hierarchy:
Found in HEAD commit: ab84b7e15f76255a524336f7a39b9ec2d4b2975b
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
The dependency vue was updated from 2.6.10 to 2.6.11.
The devDependency vue-template-compiler was updated from 2.6.10 to 2.6.11.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
This monorepo update includes releases of one or more dependencies which all belong to the vue group definition.
vue is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.
vue-server-renderer's dependency of serialize-javascript to 2.1.2
The new version differs by 81 commits.
ec78fc8 build: release 2.6.11
a98048f build: build 2.6.11
fc41f91 chore: update yarn.lock
70429c3 build(deps-dev): bump serialize-javascript from 1.3.0 to 2.1.2 (#10914)
9fbd416 chore: update sponsors [ci skip] (#10896)
a974022 chore: update backers [ci skip] (#10895)
6b4c0f9 chore: typo in comment
fd0eaf9 chore: update sponsors [ci skip] (#10841)
2c6a827 chore: update sponsors [ci skip] (#10821)
f796ab4 chore: update sponsors [ci skip] (#10800)
276c082 chore: update backers [ci skip] (#10799)
4821149 fix(types): fix prop constructor type inference (#10779)
9f5563c chore: update sponsors [ci skip]
b805a19 build(deps-dev): bump lodash.template from 4.4.0 to 4.5.0 (#10636)
bd47e5b build(deps-dev): bump lodash from 4.17.11 to 4.17.13 (#10635)
There are 81 commits in total.
See the full diff
3.4.2 to 3.4.3.
View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
core-js is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.
es.json.stringify and some modules from iteration helpers proposal in some entry points
String#{ endsWith, startsWith } MDN polyfills bugs, #702
.size property descriptor of Map / Set in the pure version
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Publish Date: 2022-02-21
URL: CVE-2022-0691
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
Release Date: 2022-02-21
Fix Resolution (url-parse): 1.5.9
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Step up your Open Source Security Game with Mend here
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Dependency Hierarchy:
Found in HEAD commit: acb3ab1e71d0faadfc8366774100727ae9ecb2af
Found in base branch: master
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.16.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
Found in base branch: master
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: e5a33c2685111877211c5d2bdc84b7515e6ccd4d
A prototype pollution vulnerability in lodash: it allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
4.1.0
to 4.1.1
🚨 View failing branch.
This version is covered by your current version range and after updating it in your project the build failed.
@vue/cli-service is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
Severity | CVSS Score | CVE | GitHub Issue |
---|---|---|---|
Medium | 6.1 | CVE-2015-9251 | #4 |
Medium | 6.1 | CVE-2012-6708 | #3 |
Medium | 4.3 | WS-2016-0090 | #5 |
The new version differs by 3 commits.
2ddcc65
v4.1.1
dd98fa6
fix: fix tsx compilation (#4894)
d21245d
workflow: correctly decide which dist-tag to use
See the full diff
There is a collection of frequently asked questions. If those don't help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/path-parse/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
Base Score Metrics:
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/copy-webpack-plugin/node_modules/glob-parent/package.json,/node_modules/webpack-dev-server/node_modules/glob-parent/package.json,/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,/node_modules/fast-glob/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Publish Date: 2022-02-20
URL: CVE-2022-0686
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
Release Date: 2022-02-20
Fix Resolution (url-parse): 1.5.8
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.7.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/body-parser/node_modules/qs/package.json,/node_modules/express/node_modules/qs/package.json
Dependency Hierarchy:
Found in HEAD commit: 7352a271cd9b2dd942c262bc566cb90b88aa589e
Found in base branch: master
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of properties in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. In practice this means that a property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Publish Date: 2022-03-17
URL: CVE-2021-44907
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44907
Release Date: 2022-03-17
Fix Resolution: qs - 6.8.1
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 854271c1285a357b179dc4dce834a7145f0a564e
Found in base branch: master
An arbitrary code injection vulnerability was found in ejs before 3.1.6, caused by the filename, which isn't sanitized before being placed in generated code for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-01-22
Fix Resolution (ejs): 3.1.6
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/is-accessor-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-4.0.0.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/has-values/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-6.0.2.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/kind-of/package.json
Dependency Hierarchy:
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-5.1.0.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/is-descriptor/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 1edff4aa28097191fcdc4e70f4b79abc610f5356
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/webpack-dev-server/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: d4fa973a1deb6251248ff51a601892687829c23d
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab
Library home page: https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/hosted-git-info/package.json
Dependency Hierarchy:
Found in HEAD commit: 3997eac951ab5c0ef47f187a9135e1f0fb07c40a
Found in base branch: master
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Publish Date: 2021-03-23
URL: CVE-2021-23362
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43f8-2h32-f4cj
Release Date: 2021-03-23
Fix Resolution (hosted-git-info): 2.8.9
Direct dependency fix Resolution (@vue/cli-plugin-babel): 4.5.14
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /tmp/ws-scm/basic-vue-sibling/package.json
Path to vulnerable library: /tmp/ws-scm/basic-vue-sibling/node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: e5a33c2685111877211c5d2bdc84b7515e6ccd4d
All versions before 6.5.2 of elliptic are vulnerable to a timing attack through side channels.
Publish Date: 2019-11-13
URL: WS-2019-0424
Base Score Metrics:
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
Publish Date: 2022-02-14
URL: CVE-2022-0512
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
Release Date: 2022-02-14
Fix Resolution (url-parse): 1.5.6
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
Small footprint URL parser that works seamlessly across Node.js and browser environments
Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/url-parse/package.json
Dependency Hierarchy:
Found in base branch: master
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7.
Publish Date: 2022-02-17
URL: CVE-2022-0639
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
Release Date: 2022-02-17
Fix Resolution (url-parse): 1.5.7
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
forge is vulnerable to URL Redirection to Untrusted Site (CWE-601, an open redirect).
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (@vue/cli-service): 5.0.1